The ELF Virus Writing HOWTO: sparc-debian2.2-linux
The longest part of the journey is said to be the passing of the gate.
Marcus Terentius Varro
If we decide to leave entry_point as it is, we have to patch something else. One approach is to disassemble the code starting at entry_point, find the first call (or jmp), and abuse it. That requires far too much intelligence for a virus, though. On the other hand, we are operating in a homogeneous environment, with one compiler and one C run-time library for everything, so the startup code should be the same for every executable.
Command: pre/sparc-debian2.2-linux/entry_point/gdb/Linux.sh

```bash
#!/bin/bash
# Disassemble the startup code of the test shell with gdb and pass the
# raw gdb output through the formatter from the magic_elf tools.
pre/sparc-debian2.2-linux/entry_point/gdb_core.sh \
| pre/sparc-debian2.2-linux/magic_elf/gdb_format.pl
```
We work on the shell found in A kingdom for a shell. The tool from Extracting e_entry retrieves the entry point. On some shells a command that reads from a pipe runs in a sub-shell, so variables set by read are not exported to the surrounding scope. The while loop is executed just once; its only purpose is to give read a block in which those variables stay in scope.
Command: pre/sparc-debian2.2-linux/entry_point/gdb_core.sh

```bash
#!/bin/bash
# Take the first shell listed by the segment-padding scanner.
shell=$( /bin/sed 1q \
    out/sparc-debian2.2-linux/scanner/segment_padding/infect )
# e_entry prints the entry point and its file offset; the loop body runs
# once and only serves to keep the variables set by read in scope.
tmp/sparc-debian2.2-linux/evil_magic/e_entry ${shell} \
| while read entry_point offset
do
    /bin/echo "[entry_point=${entry_point}]"
    # Stop at the entry point and disassemble the next 0x100 bytes.
    /usr/bin/gdb ${shell} -q <<EOT 2>&1
break *0x${entry_point}
run
disassemble 0x${entry_point} 0x${entry_point}+0x100
EOT
done
```
Output: out/sparc-debian2.2-linux/entry_point/sh.gdb

```text
Starting program: /bin/bash
0x1f598 <_start>: mov %g0, %fp
0x1f59c <_start+4>: sub %sp, 0x18, %sp
0x1f5a0 <_start+8>: ld [ %sp + 0x58 ], %o1
0x1f5a4 <_start+12>: add %sp, 0x5c, %o2
0x1f5a8 <_start+16>: sethi %hi(0x1f400), %o0
0x1f5ac <_start+20>: sethi %hi(0x1f400), %o3
0x1f5b0 <_start+24>: sethi %hi(0x75000), %o4
0x1f5b4 <_start+28>: or %o0, 0x2a4, %o0
0x1f5b8 <_start+32>: or %o3, 0x174, %o3
0x1f5bc <_start+36>: or %o4, 0x154, %o4
0x1f5c0 <_start+40>: mov %g1, %o5
0x1f5c4 <_start+44>: call 0x9ab68 <__libc_start_main>
0x1f5c8 <_start+48>: nop
0x1f5cc <_start+52>: unimp 0
```
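The same walk the script above performs with gdb (read e_entry, map it to a file offset through the program headers, look at the startup code up to its first call) can be done by a defender to verify that a binary's _start still matches the stock stub. The following is an added example, not code from the HOWTO: it parses a 32-bit big-endian ELF image directly, fingerprints the stub with the per-binary immediates masked out (the sethi/or operands and the call displacement differ between executables while the opcode pattern does not, which is the homogeneity the text relies on), and reports the first call's target separately so it can be compared against the real address of __libc_start_main. The sample ELF image, the baseline and the tampered copies are constructed inline from the disassembly shown in the output above; the expected call target (0x9ab68) is taken from that output and in practice would come from the binary's symbol table.

```python
# Added example (not from the HOWTO): check whether the code at an ELF32 big-endian
# (SPARC) entry point still looks like the stock C run-time _start stub.
import hashlib
import struct
ELFCLASS32, ELFDATA2MSB, PT_LOAD = 1, 2, 1
EHDR_FMT, PHDR_FMT = ">HHIIIIIHHHHHH", ">IIIIIIII"  # Elf32_Ehdr after e_ident, Elf32_Phdr

def parse_elf32_be(data):
    """Return (e_entry, list of program headers with the fields needed for address mapping)."""
    if data[:4] != b"\x7fELF" or data[4] != ELFCLASS32 or data[5] != ELFDATA2MSB:
        raise ValueError("expected a 32-bit big-endian ELF image")
    hdr = struct.unpack_from(EHDR_FMT, data, 16)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p[0], "offset": p[1], "vaddr": p[2], "filesz": p[4]})
    return e_entry, phdrs

def vaddr_to_offset(vaddr, phdrs):
    """Map a virtual address to its file offset through the PT_LOAD segments."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return ph["offset"] + (vaddr - ph["vaddr"])
    return None

def normalize_insn(word):
    """Zero the immediate field of one SPARC instruction word, keeping opcode and registers."""
    op = word >> 30
    if op == 1:                      # call: 30-bit displacement
        return word & 0xC0000000
    if op == 0:                      # sethi, branches, unimp: 22-bit immediate
        return word & 0xFFC00000
    if word & (1 << 13):             # format 3 with i=1: 13-bit signed immediate
        return word & 0xFFFFE000
    return word                      # register-only form: nothing to mask

def call_target(pc, word):
    """Absolute target of a SPARC call instruction located at pc."""
    disp30 = word & 0x3FFFFFFF
    if disp30 & 0x20000000:
        disp30 -= 1 << 30
    return (pc + (disp30 << 2)) & 0xFFFFFFFF

def startup_stub(data, max_insns=32):
    """Instruction words from e_entry up to and including the first call, plus its target."""
    e_entry, phdrs = parse_elf32_be(data)
    off = vaddr_to_offset(e_entry, phdrs)
    if off is None:
        raise ValueError("e_entry 0x%x lies outside every PT_LOAD segment" % e_entry)
    words, target = [], None
    for i in range(max_insns):
        word = struct.unpack_from(">I", data, off + 4 * i)[0]
        words.append(word)
        if word >> 30 == 1:
            target = call_target(e_entry + 4 * i, word)
            break
    return words, target

def fingerprint(words):
    """SHA-256 over the normalized stub, so per-binary addresses do not affect it."""
    return hashlib.sha256(b"".join(struct.pack(">I", normalize_insn(w)) for w in words)).hexdigest()

def check_entry(data, baseline_fp, expected_call_target=None):
    """Compare a binary's entry stub against the baseline of the homogeneous environment."""
    words, target = startup_stub(data)
    findings = []
    if fingerprint(words) != baseline_fp:
        findings.append("entry stub opcode pattern differs from baseline")
    if target is None:
        findings.append("no call within the first %d instructions" % len(words))
    elif expected_call_target is not None and target != expected_call_target:
        findings.append("first call targets 0x%x, expected 0x%x" % (target, expected_call_target))
    return {"call_target": target, "findings": findings, "clean": not findings}

# _start as disassembled in the HOWTO output, hand-encoded here into SPARC words (constructed).
STOCK_START = [
    0xBE100000, 0x9C23A018, 0xD203A058, 0x9403A05C,  # mov %g0,%fp / sub / ld / add
    0x1100007D, 0x1700007D, 0x190001D4,              # sethi %hi(...), %o0 / %o3 / %o4
    0x901222A4, 0x9612E174, 0x98132154, 0x9A100001,  # or ..., %o0 / %o3 / %o4; mov %g1,%o5
    0x4001ED69, 0x01000000, 0x00000000,              # call 0x9ab68 / nop / unimp 0
]

def build_sample(start_words=STOCK_START, e_entry=0x1F598):
    """Constructed minimal ELF32/SPARC image: one PT_LOAD at 0x1f000 holding the stub."""
    base, image = 0x1F000, bytearray(0x600)
    image[0:16] = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + bytes(9)
    image[16:52] = struct.pack(EHDR_FMT, 2, 2, 1, e_entry, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    image[52:84] = struct.pack(PHDR_FMT, PT_LOAD, 0, base, base, 0x600, 0x600, 5, 0x10000)
    code = b"".join(struct.pack(">I", w) for w in start_words)
    image[e_entry - base:e_entry - base + len(code)] = code
    return bytes(image)

if __name__ == "__main__":
    baseline = fingerprint(startup_stub(build_sample())[0])
    # Copy whose call displacement was redirected to 0x1f700: same fingerprint, wrong target.
    hijacked = STOCK_START[:11] + [0x40000000 | ((0x1F700 - 0x1F5C4) >> 2)] + STOCK_START[12:]
    print(check_entry(build_sample(), baseline, 0x9AB68))
    print(check_entry(build_sample(hijacked), baseline, 0x9AB68))
```

The masking is deliberate: because the stub's immediates are zeroed, a call whose displacement alone was rewritten keeps the baseline fingerprint, which is why check_entry reports the decoded call target separately and a caller should compare it against the address of __libc_start_main resolved from the symbol table rather than rely on the hash alone.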